Closed
Bug 811616
Opened 12 years ago
Closed 12 years ago
"Assertion failure: [infer failure] Missing type pushed 0: string," or "Assertion failure: [infer failure] Missing type pushed 0: int,"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla19
Tracking | Status | |
---|---|---|
firefox16 | --- | unaffected |
firefox17 | --- | unaffected |
firefox18 | --- | unaffected |
firefox-esr10 | --- | unaffected |
firefox-esr17 | --- | unaffected |
People
(Reporter: gkw, Unassigned)
References
Details
(4 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update,ignore])
Attachments
(2 files)
"".replace(RegExp(), Array.reduce)
asserts js debug shell on m-c changeset 4e9567eeb09e with --ion-eager at Assertion failure: [infer failure] Missing type pushed 0: string,
s-s and assuming sec-critical because this is an type inference failure, which is usually bad. Setting fuzzblocker because this is blowing up the fuzzers.
See bug 811606 and bug 811612.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 113105:3da143341145
user: Till Schneidereit
date: Tue Aug 28 14:35:15 2012 +0200
summary: Bug 784294 - Convert some array extras to self-hosted js implementations. r=Waldo
Reporter | ||
Comment 1•12 years ago
|
||
This may also be related:
[0,0].sort(Array.reduce,RegExp())
Assertion failure: [infer failure] Missing type pushed 0: int,
Reporter | ||
Updated•12 years ago
|
Summary: "Assertion failure: [infer failure] Missing type pushed 0: string," → "Assertion failure: [infer failure] Missing type pushed 0: string," or "Assertion failure: [infer failure] Missing type pushed 0: int,"
Updated•12 years ago
|
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]
Comment 2•12 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision dd68409d7810).
Reporter | ||
Comment 3•12 years ago
|
||
Bug 784294 was backed out in https://hg.mozilla.org/mozilla-central/rev/dd68409d7810 - "fixing" this.
Till, please add this testcase to future revised patches.
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Updated•12 years ago
|
Status: RESOLVED → VERIFIED
Comment 4•12 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Comment 5•12 years ago
|
||
I think we can make this public, as the causing code never made a Nightly.
Reporter | ||
Updated•12 years ago
|
Group: core-security
Updated•12 years ago
|
Comment 6•12 years ago
|
||
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•